Mikrotik L2TP/IPsec VPN: why can't I ping the local network?

There is a network behind a Mikrotik
192.168.0.0/24
with an L2TP/IPsec server set up on it
10.63.10.0/24
On the LAN there is a PC, 192.168.0.66, that I want to reach over SMB.
Problem:
When connected via the VPN
- this PC does not answer ping
- RDP to the PC works
- SMB to this PC does not work
PS I have 3 similarly configured routers at other sites, and they all work great.
April 19th 20 at 12:10
1 answer
April 19th 20 at 12:12
PS I have 3 similarly configured routers at other sites, and they all work great.

- Hello, fire department, come quickly, the house is on fire...
- But we have a house exactly like it next door, and it isn't burning.

Questions like this always need to come with a diagram, or at least an accurate description of everything.
At what point is the network connected?
How far does the trace get?
C:\Windows\system32>tracert 192.168.0.66

Tracing route to 192.168.0.66 over a maximum of 30 hops

  1    36 ms    37 ms    40 ms  10.63.10.1
  2     *        *        *     Request timed out.

Network behind the Mikrotik: 192.168.0.0/24
L2TP/IPsec VPN set up on the Mikrotik, VPN network 10.63.10.0/24
A home PC on Windows 10 opens a connection to the Mikrotik; the Windows computer gets the address 10.63.10.5
Once the session is up, the PC I need behind the Mikrotik (192.168.0.66) does not answer ping and its shares are not reachable, but RDP to it works fine.
Maybe I am missing some part of the Mikrotik config? I have been fighting this problem all day today and cannot beat it. I reset the Mikrotik to factory defaults and loaded the settings from another working Mikrotik (they are the same hEX). Set up SSTP, same story. It feels like the problem is right on the surface, but my eyes are too tired to see it. - declan.Robe commented on April 19th 20 at 12:15
/interface bridge
add admin-mac=00:00:00:00:00:00 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=l2tp ranges=10.63.10.10-10.63.10.50
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes local-address=192.168.0.1 name=l2tp-profile \
    remote-address=l2tp use-compression=yes use-encryption=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,tikapp,!dude"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-profile enabled=yes \
    ipsec-secret=000 max-sessions=300 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=00.000.126.31/24 interface=ether1 network=00.000.126.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=00.000.124.1,00.000.124.111
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.0/24 list=lan
add address=10.63.10.0/24 list=vpn
/ip firewall filter
add action=accept chain=forward in-interface=!ether1 out-interface=bridge \
    src-address=10.63.10.0/24
add action=accept chain=forward dst-address-list=vpn src-address-list=lan
add action=accept chain=input disabled=yes protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=input comment="accept L2TP" dst-port=1701,500,4500 \
    port="" protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=00.000.126.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/ppp secret
add local-address=10.63.10.1 name=user1 password=user1 profile=l2tp-profile \
    remote-address=10.63.10.2 service=l2tp
add local-address=10.63.10.1 name=user2 password=user2 profile=l2tp-profile \
    remote-address=10.63.10.3 service=l2tp
add local-address=10.63.10.1 name=user3 password=user3 profile=l2tp-profile \
    remote-address=10.63.10.4 service=l2tp
add local-address=10.63.10.1 name=test password=test profile=l2tp-profile \
    remote-address=10.63.10.5 service=l2tp
add name=test2 password=test2 profile=l2tp-profile
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
- declan.Robe commented on April 19th 20 at 12:18
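The export above gets the VPN working, but two things in it deserve a fix on any Internet-facing hEX, independent of the ping question. The input chain has no terminal rule, so RouterOS' default action (accept) applies to everything not matched earlier, and with "/ip dns set allow-remote-requests=yes" that leaves the router answering DNS for the whole Internet on ether1. The IPsec pre-shared key is "000" and every PPP secret's password equals its username. The fragment below is an added example, not part of the thread or of the asker's configuration; the CHANGE-ME values are placeholders, and the "lan" and "vpn" address lists and the "accept L2TP" comment are the ones that already exist in the export.

```routeros
# Added example, not from the thread: hardening applied on top of the export above.
# Run it in the terminal after importing the export; rules are appended in order.

/ip firewall filter
# VPN clients should still be able to resolve names on, and ping, the router
# itself (10.63.10.1), so let those in before the terminal drop.
add chain=input action=accept comment="VPN clients: DNS to router" \
    src-address-list=vpn protocol=udp dst-port=53
add chain=input action=accept comment="VPN clients: ping to router" \
    src-address-list=vpn protocol=icmp
# Terminal rule for chain=input. It lands after the existing accepts for
# IKE/NAT-T, ESP/AH and established,related, so the VPN keeps working, but
# the resolver, winbox and anything else are no longer reachable from ether1.
add chain=input action=drop comment="drop all not coming from LAN" \
    in-interface-list=!LAN

# UDP/1701 only needs to be reachable inside the IPsec tunnel. Accept it only
# for packets that were decapsulated by an inbound IPsec policy and leave just
# IKE (500) and NAT-T (4500) open in the original rule, so plaintext L2TP from
# the Internet is dropped by the terminal rule above.
add chain=input action=accept comment="L2TP only inside IPsec" \
    protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    place-before=[ find comment="accept L2TP" ]
set [ find comment="accept L2TP" ] dst-port=500,4500

# Pre-shared key: IKE with PSK is only as strong as the secret; "000" is not one.
/interface l2tp-server server
set ipsec-secret="CHANGE-ME-long-random-preshared-key"

# MS-CHAPv2 passwords that equal the username are the first thing guessed.
/ppp secret
set [ find name=user1 ] password="CHANGE-ME-user1"
set [ find name=user2 ] password="CHANGE-ME-user2"
set [ find name=user3 ] password="CHANGE-ME-user3"
# Throwaway accounts: disable them once the testing is finished.
set [ find name=test ] disabled=yes
set [ find name=test2 ] disabled=yes
```

After applying it, "/ip firewall filter print where chain=input" should show the "drop all not coming from LAN" rule as the last input rule and the "L2TP only inside IPsec" rule directly before the old "accept L2TP" one; an L2TP client reconnecting from outside proves the order is right, and a query such as "dig @<WAN address> example.com" from outside should now time out instead of being answered.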
Where is your route print?
How does the 10.63.10.0 network know about the 192.168.0.0 network? - Betsy commented on April 19th 20 at 12:21
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          00.000.126.1              1
 1 ADC  10.63.10.5/32      10.63.10.1      <l2tp-test>               0
 2 ADC  00.000.126.0/24    00.000.126.31   ether1                    0
 3 ADC  192.168.0.0/24     192.168.0.1     bridge                    0
[admin@MikroTik] >


From the PC, 192.168.0.1 pings fine.
Anyway, it all works now (RDP and SMB both work), except ping. The trouble was in the Windows 7 machine (192.168.0.66). Thanks for your help and answers! - declan.Robe commented on April 19th 20 at 12:24
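The thread's own evidence already narrows this down before the config is touched: the tracert shows hop 1 = 10.63.10.1, so the Windows 10 client does send traffic into the tunnel, the route print shows 192.168.0.0/24 and 10.63.10.5/32 as connected routes, so the router can route both ways, and the first forward rule accepts 10.63.10.0/24 towards the bridge. The one question left is whether the router forwards the echo request and the SMB SYN and whether 192.168.0.66 answers. The commands below are an added example of that "router or host?" isolation, not something from the thread; the addresses are the thread's, the "vpn2lan" log prefix is an assumption.

```routeros
# Added example, not from the thread: decide whether RouterOS or the host
# 192.168.0.66 is eating the ICMP and SMB traffic from the VPN client 10.63.10.5.

# 1. Does the router forward the packets at all? A temporary log rule at the
#    top of chain=forward records every new connection from the client to the
#    host; ping and a \\192.168.0.66 open from the client should each appear.
/ip firewall filter
add chain=forward action=log log-prefix="vpn2lan" place-before=0 \
    src-address=10.63.10.5 dst-address=192.168.0.66 connection-state=new
/log print follow-only where message~"vpn2lan"

# 2. What leaves the bridge towards the host, and does anything come back?
#    Requests with src 10.63.10.5 but no replies with src 192.168.0.66 mean
#    the frames reached the LAN and the host stayed silent.
/tool sniffer quick interface=bridge ip-address=192.168.0.66 \
    ip-protocol=icmp duration=20
/tool sniffer quick interface=bridge ip-address=192.168.0.66 \
    ip-protocol=tcp port=445 duration=20

# 3. Connection tracking tells the same story: an ICMP or tcp/445 entry
#    without the S (seen-reply) flag went out and got nothing back, while
#    the tcp/3389 entry for RDP carries it.
/ip firewall connection print where dst-address~"192.168.0.66"

# 4. Remove the temporary rule when done.
/ip firewall filter remove [ find log-prefix="vpn2lan" ]
```

If the requests show up on the bridge and nothing comes back, the problem is on the host, which matches how this thread ended. The usual reason on a Windows 7 or 10 target is the built-in firewall's scope: in the Private and Public profiles the "File and Printer Sharing" inbound rules (ICMPv4 echo request and SMB-In, TCP 445) are limited to the local subnet, whereas the "Remote Desktop" rules allow any remote address, so a client on 10.63.10.0/24 gets exactly "RDP works, ping and shares do not". Adding the VPN subnet to the remote scope of those rules on the target, or using the Domain profile, resolves it; the thread does not say which of these the asker changed.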
